Wipro Detects Phishing Attack: Investigation in Progress

Indian IT service firm Wipro on Tuesday said that it has detected abnormal activities on some of its employee accounts due to an advanced phishing campaign. An investigation is continuing, the company tells Information Security Media Group.

The news comes following the blog KrebsOnSecurity reporting that India's third-largest IT outsourcing company was dealing with a multimonth intrusion.

Wipro's systems were seen being used as jumping-off points for digital phishing expeditions targeting at least a dozen Wipro customer systems, the blog says. "Wipro's customers traced malicious and suspicious network reconnaissance activity back to partner systems that were communicating directly with Wipro's network," according to the blog.

In a statement, Wipro says: "Upon learning of the incident, we promptly began an investigation, identified the affected users and took remedial steps to contain and mitigate any potential impact."

The firm tells ISMG that none of its customers' credentials have been affected, as was alleged in the blog.

Some security experts, however, say Wipro may be the victim of a nation-state sponsored attack.

"It is most likely by a nation-state. They use this modus operandi to breach a vendor network first and through that route attack their customers," says a Bangalore-based security expert, who did not wish to be named. "That is because customers will consider Wipro's network safe. Taking advantage of this, attackers can slip under the radar and defenses as harmless traffic."

Some observers speculate that Cloud Hopper, a Chinese advanced persistent threat group, may be behind the attack. "Cloud Hopper targets managed service providers and uses it as a point of entry into their end clients," tweets Prashant Mali, cyber lawyer and advocate, Bombay High Court.

The attack on Wipro comes four months after two hackers associated with Chinese group APT10 were indicted by the U.S. Department of Justice for attempting to break into more than 45 U.S. technology companies and U.S. government agencies as well as several MSSPs.

In January 2019, the National Counterintelligence and Security Center launched a public campaign to educate businesses about the risks related to cyberattacks from foreign intelligence entities. The effort identified corporate supply chains as one of the primary targets, wherein threat actors attack a business' suppliers to gain access to the end client's corporate network, reports CRN.

Wipro employs 170,000 employees serving clients across six continents, including Fortune 500 customers in healthcare, banking, communications and other industries. The company's stock declined about 2 percent to $4.30 in after-hours trading Monday.

Dissecting the Attack

According to the KrebsOnSecurity blog, one of Wipro's customers said at least 11 other companies were attacked, based on file folders found on the intruders' back-end infrastructure that were named after various Wipro clients.

Apparently, Wipro is also in the process of building out a new private email network because the intruders were thought to have compromised Wipro's corporate email system for some time, the blog says. The company is now telling concerned clients about specific "indicators of compromise," or clues that might signal an attempted or successful intrusion, a source told KrebsOnSecurity.

ISMG reached out to one of the customers of Wipro from the aviation industry to see if it was impacted by the phishing attacks. "I can't comment on this. Attacks keep happening. What matters is how best we are able to control damage," he said, asking to remain anonymous.

Mitigation Moves

Wipro says it is taking remedial measures to mitigate the damage done. "We are leveraging our industry-leading cybersecurity practices and collaborating with our partner ecosystem to collect and monitor advanced threat intelligence for enhancing security posture. We have also retained a well-respected, independent forensic firm to assist us in the investigation. We continue to monitor our enterprise and infrastructure at a heightened level of alertness," Wipro tells ISMG.

In an earlier interview with ISMG, Sridhar Govardhan, CISO at Wipro, spoke about how a company can tackle a phishing campaign.

"When a phishing campaign is launched against a company, then you can pick this up on your threat intelligence platform through both open source as well as commercial feeds coming in," Govardhan said. "When you automate the process, the email campaign information is automatically passed on to the team handling email security. This has to be built in seamlessly and integrated across the entire ecosystem."

The attack has led to some security practitioners questioning whether data should indeed be outsourced to other countries. "It's amazing how quickly people diss "outsourcing" (which is code for something else). Because you know, non-outsourced companies are never hacked," tweets Sandesh Anand, managing consultant at the IT company Synopsys.

The subtle racism on the comments section on that article is frankly disgusting. It's amazing how quickly people diss "outsourcing" (which is code for something else). Because you know, non-outsourced companies are never hacked

Phishing Attacks

Phishing attacks apparently increased in 2018, according to various news reports.

"Threat actors would identify the victim and use open source information to gather details. From here they build phishing attacks. One of the areas is email. Office 365 is a huge target," John Clay, director of global threat communications at Trend Micro, said in an interview with ISMG. "Phishing works because it preys on vulnerabilities of humans. Once you get access to an email account, you can pretty much do what you want."

In a new development, Microsoft says intruders targeting its email services had access to email content for a single-digit percentage of the overall affected accounts, a more serious conclusion than first thought.

Geetha Nandikotur, managing editor, Middle East and Asia, contributed to this report.

About the Author

Suparna Goswami is principal correspondent at ISMG Asia and has more than 10 years of experience in the field of journalism. She has covered a variety of beats ranging from global macro economy, fintech, startups and other business trends. Before joining ISMG, she contributed to Forbes Asia, where she wrote about the Indian startup ecosystem. She has also worked with UK-based International Finance Magazine, and leading Indian newspapers like DNA and Times of India.
